The extent of electronic vandalism and other computer-related crime is unknown. Annual losses in the United States due to computer crime have been estimated at $2 million to $730 million, but these figures are suspect; several studies have estimated that only 1 percent of all computer crime is detected, and the Federal Bureau of Investigation (FBI) estimates that of crimes that are detected, only 14 percent are reported.1 In any case, it is clear that security on electronic networks is a growing concern.2 Antivirus programs have become almost ubiquitous, and, as Eberhard Wunderlich of AT&T noted at the November workshop, there is a trend toward moving beyond user passwords to smart cards for access control, encryption, and electronic signatures. In the first half of 1994, concerns for security on the Internet were prompted by a rash of penetration attempts, many of which were successful.3
But technology cannot guarantee absolute security. Forum participants indicated, for instance, that a system operator may have difficulty detecting a fraudulent (i.e., stolen) user identification, particularly one forged by an expert. As Mitchell D. Kapor, co-founder and chair of the Electronic Frontier Foundation, said, "There's always some tiny fraction of the elite that is, in fact, technically capable of inflicting huge amounts of damage. …"
For those cases in which damage does occur, some remedy may be found in the law, though even this remedy is subject to the caveat that its efficacy depends on the reality of enforcement. If a district attorney refuses to prosecute or the civil courts take too long to handle a lawsuit, the determination of trespass or theft becomes an academic discussion.
SCENARIO 1: VIRUS DAMAGES BULLETIN BOARD
A computer club at a local high school sets up a dial-in bulletin board, using equipment bought for the club by a banker whose son is club president. The bulletin board is set up at the club president's home, and it can exchange messages with other bulletin boards across North America. The banker also has a computer system for working at home that is tied directly into the club's computer; the banker's computer is used to write a public newsletter for his bank. The telephone number of the bulletin board is distributed through a national magazine, and over time, the following activities are taking place on the bulletin board, although no club members are involved in any of these activities:
Stolen credit card numbers are posted;
Hate messages are sent to Canada, where such messages are illegal;
A program is posted in a public space by Joe, a nonmember, and others download the program and discover that it contains a virus that causes considerable damage; and
A second program is posted that is designed to disrupt network services when run on a computer connected to a national network such as the Internet or CompuServe.
Issue: Criminal Liability
Club members have no criminal liability for failing to monitor the activities in this scenario, said Scott Charney, chief of the Computer Crime Unit at the Justice Department. If a potential criminal case involving a computer warranted an investigation, both the law and sensible policy would dictate use of the least intrusive means, such as a subpoena, to obtain information, he said. However, the answers to several questions might alter this response. The first question is how prosecutors learned of the problem; the club members themselves might have reported it, for example, thereby inviting an investigation.
The second and more complicated question involves intent. "Suppose, for example, that the people running this board knew about the illegal access codes and were actually fostering it and encouraging it," Charney said. "That doesn't mean the [bulletin board] is any less valid, but those running it may not be innocent third parties anymore. And how do you investigate that and get the evidence you need without infringing on the newsletter, which is protected under the First Amendment to the Constitution?"
If they pursued the virus case in Scenario 1, federal prosecutors would not seize equipment or search the bank computers, because neither the bulletin board nor the bank is involved in criminal activity, Charney said. In fact, it is not clear whether there is any criminal case at all; if the bulletin board is open to the public, then Joe, even as a nonmember, has access authority and hence no criminal liability, because the statute under which criminal liability is imposed requires unauthorized access.
Issue: Deficiencies in the Laws
Mark Rasch, an attorney with the firm Arent, Fox, Kintner, Plotkin, and Kahn, said Joe's inappropriate behavior has two elements: possible unauthorized access to the bulletin board and uploading the computer virus. Since Joe is arguably an "authorized" user (anyone could be an "authorized" user of a public bulletin board system, and 18 U.S.C. Section 1030 simply prohibits unauthorized access), Joe might well escape any liability at all. As for the uploading of the computer virus, "Prosecutors must prove Joe's intent. Why did he do it? The way the federal law is structured right now, if Joe accesses with authorization, even with intent to destroy and damage all the information in that computer, the computer crime statute says he is not guilty of a crime, because it is his initial access [that the law focuses on]."4
Rasch suggested that legislators based the law on an imperfect analogy—an office break-in, where no matter what intruders do in the office, they are guilty at minimum of trespassing. Although the analogy falls short, Rasch said lawmakers have relied on such analogies because of the lack of common experience in the environment of electronic networks. "When we see crimes in society, we can relate to them as criminal acts because we have a common experience about what is a crime and what is not a crime," he said. "And when we deal in cyberspace and we deal in the electronic environment, we don't have those experiences. We don't have those common human judgments. We don't have that ethical standard to fall back on. So then we end up … trying to draw analogies."
Kent Alexander, now U.S. attorney for the Northern District of Georgia, said Joe has extensive criminal and civil liability but that prosecuting him would be a challenge. Alexander said the Computer Fraud and Abuse Act of 1986 seldom applies in real cases, adding that prosecutors often depend on broader laws such as the wire fraud statute (18 U.S.C. Section 1343), which applies if a telephone is used in a scheme to defraud. Alexander and Rasch both said a federal destruction-of-property statute is needed.
That prospect prompted some caution. For example, Marc Rotenberg and Michael Godwin argued that although it was appropriate to criminalize undesirable behavior such as destruction of property and computer trespass, it was unnecessary to specify what the instrumentality of such behavior was. Godwin said the law generally approaches computers as if they were "inherently dangerous" in ways that other general-purpose tools, such as hammers, are not; he argued that this legal approach infringes on freedom of speech and that computer use should not be overregulated in this manner. Still, Alexander insisted that some computer-related laws are needed, because "cyberspace is … what we are going to live in." Rasch said, "The reason we need specific computer crime statutes is because analogies don't actually work perfectly," although he cautioned that it would be preferable to target a potential miscreant's overall strategy rather than a precise mechanism, because a vandal might be able to "engineer around" a defined mechanism.
Litigation specialist Thomas Guidoboni, of the firm Bonner and O'Connell, agreed with other speakers that the Computer Fraud and Abuse Act is flawed. He argued that victims should be able to recover damages through the civil system but that criminalizing and jailing hackers does not benefit victims, other than by serving as a deterrent. (The statute specifies punishment consisting of a fine and/or imprisonment.) He contended that, although the Congress prohibited computer trespassing, it did not address worse wrongs (such as the malicious destruction of computer files): "They need to be educated. … [T]hey don't really know what to prohibit."
Charney said the federal law should specify the type(s) of prohibited network intrusion. He noted that the Justice Department has asked the Congress to amend the Computer Fraud and Abuse Act because the ethics of computer usage have evolved and users' roles have changed since 1986. "It's better to say, 'Look, if you upload a virus, even if you are authorized [to access the computer] … intending to damage, without authority, other people's material, that's going to be criminal.' That way, everybody has plenty of notice and you've got a statute that directly applies to the conduct." Such a statute should not criminalize legitimate work with viruses, such as in the research community, he added.
Godwin noted that federal law doesn't require that intent to damage be established, and he suggested it is bad policy for criminal laws to ignore intent. He said criminal statutes generally, and rightly, focus on the intent or mental state of the defendant, because "we try to criminalize people for setting out to do bad things, not for unwittingly doing bad things." Joe's potential criminal liability for putting out a virus that disrupts network service or that damages a "federal interest" computer5 may not reflect the proper balance between civil and criminal sanctions, Godwin suggested, because the law now "makes no distinction between someone who accidentally causes damage and perhaps a terrorist who deliberately causes damage to vital systems." Rasch countered by arguing that even if the statute itself makes no such distinction, it is possible to make distinctions in other ways, such as in sentencing; he cited the sentence in the Morris case as an example (Box 5.1), arguing that Morris was not imprisoned because the damage he caused was accidental.
Godwin noted that Morris had authorized access to the computer from which he launched the virus. Guidoboni, who defended Morris, had argued unsuccessfully that his client, as a member of the Internet community, had authorized access to all computers on the system. Guidoboni pointed out at the forum that "authorization" and "access" can be difficult to define for the Internet. Guidoboni also warned against attempting to curb computer vandalism through "foolish" censorship, noting that the government refused to release the "cure" for the Morris virus, for fear of hackers obtaining it. "So of course a lot of you people on the Internet couldn't fix what was wrong, because our government didn't want to give you the code to fix it. … [It was their effort to] prevent a perceived wrong that probably did more harm in the end."
Box 5.1 United States v. Robert T. Morris, 1991
Robert Morris was one of the first to be prosecuted under the Computer Fraud and Abuse Act of 1986. As a Cornell University graduate student, Morris wrote and released onto the Internet a "worm" program designed to propagate itself automatically without harm to the host computers, but due to a flaw in its design, the Morris worm caused thousands of computers nationwide to crash on November 2-3, 1988. By itself, the worm did no permanent damage, although the estimated cost of rectifying its effects at each location involved ranged from $200 to $53,000. As a graduate student in the Cornell University computer science department, he had full and legal access to all the department's computing facilities; these facilities were connected to the Internet.
Although Morris' defense claimed the worm was a benign test of computer security that went wrong, Morris was convicted on the grounds that he intentionally accessed remote computers without authorization. He was sentenced to 3 years probation, fined $10,050, and ordered to perform 400 hours of community service, a sentence far less than the maximum permissible under law. The conviction later was upheld by a federal appeals court, and review was denied by the Supreme Court.
SOURCE: United States v. Robert T. Morris, No. 89-CR-139 (N.D.N.Y.), aff'd 928 F.2d 504 (2nd Cir. 1991), cert. denied, 112 S. Ct. 72 (1991).
Issue: Civil Obligations and Liabilities
Civil liabilities arise from the general principle in common law that a person who has been wronged by another person is entitled to compensation for that wrong from that other person. Charney suggested that Joe might have considerable civil liability if the damage he caused was extensive. Alexander said a civil case against Joe probably would not hold up, assuming there were no federal agents or state police involved, because hackers usually are judgment-proof.
(Hackers are usually judgment-proof because they are typically young people who have no assets to seize.) Conversely, although the father in Scenario 1 has not committed a criminal act, he probably will be sued because he and his bank are the only parties with any money, Guidoboni observed. Whether there is a valid case is doubtful, he added. Godwin noted that civil liability depends little, if at all, on the intentions of a defendant.
Godwin argued that "to a large extent, many of the issues regarding liability are not criminal law issues at all. We have a large body of civil law devoted to negligence obligations, obligations to be nonnegligent in maintaining other kinds of spaces, be it your yard or your business." He contended that, ultimately, individuals who maintain forums will have some duties of care that arise from civil obligations. He cautioned, however, that because an on-line bulletin board is a forum for speech, whatever civil obligations are imposed on a system operator must be consistent with the First Amendment.6 He further contended that distribution of virus codes or information, and general discussion of viruses, are protected by the First Amendment. "It's always very troubling to discover that someone's teenaged son or daughter has access to a potentially damaging bit of computer code," he said. "But one of the choices that we have made in living in a free society is to say we're going to allow people to be a source of a lot of risk. We're going to risk having people who have dangerous information."
SCENARIO 2: MULTISYSTEM INTRUDER DAMAGES FILES
Computer A is penetrated by an unauthorized user. The intruder uses Computer A to reach Computer B, where he causes extensive damage to files. The operator of Computer A monitors the key-strokes of the intruder, who eventually is caught. The intruder claims that the operator violated the wiretapping statute.7 Computer A did not display a warning message regarding unauthorized access because its operators forgot to install such a message, while Computer B did not display a warning message on the premise that anyone accessing it from Computer A would be an authorized user.
Issue: Trespassing and Theft
Scenario 2 is principally a trespassing case, and it illustrates the need for computer crime statutes, Rasch said. Computer trespassing is abhorrent, he asserted, even if no damage is done, because it destroys trust in the system. The crime is different in character from a home or office break-in because the distrust lingers. "When you are a user, and you see somebody without authorization on your system, you don't know that he didn't do anything, and it can take you a very long time to come to the conclusion that he didn't do anything," Rasch said. "It would be like having a calculator that 1 out of every 100,000 times adds the numbers up incorrectly."
Rasch argued that although trespassing is a crime in itself, monetary damage also should be calculated, to adjust the level of the offense. At the same time, he raised the issue of whether stealing electronic information should be criminalized at all. "If I steal the files in your office, you know I've stolen them. If, on the other hand, I simply copy them, the law is not clear on whether I've stolen something. In a computer environment, I can steal all the information in your computer and you won't know it, and you'll still have all the information."8
Although the federal statute does not criminalize reckless or negligent actions, Rasch said negligence will become an increasingly common basis for civil litigation. As to whether reckless actions should be criminalized, he acknowledged that this approach would help prosecute wrongdoing and encourage users to be careful, but he noted that the problem of proving a defendant's mental state would persist. He dismissed claims that intent can be difficult to prove, saying, "A person is presumed to intend the natural and probable consequences of his actions, so generally you can prove intent."
Godwin argued that the phrase "stealing information" implies that information is property, when in fact an argument can be made that information should be assumed not to be property.9 To become property and be subject to theft, information must meet certain tests, such as those imposed by copyright or trade secret laws, he said. He agreed with prosecutor Charney that privacy is the key issue in computer intrusion, just as it is in wiretapping. "I think it's appropriate sometimes to criminalize intrusion and the examination and even the copying of data as perhaps the violation of a privacy interest," Godwin said. "But treating it like a theft crime, I think, doesn't help the public consciousness of … the true nature of these crimes."
While he supported the use of incentives to curb user negligence, Godwin questioned whether criminal law is the right tool. Users already have incentives to secure their systems and refrain from distributing damaging software; whether these incentives are adequate is the question, he said.
Godwin argued that criminal behavior on electronic networks should not be defined until "we actually have a sense of what the social norms are. … Many of us just say it's obvious that intruding in a computer is like intruding in your home," he said. "Believe me, if it were that obvious, then many of the people who have done computer intrusions would never have done it, because these people have never walked [without permission] into other people's homes."
Issue: Determining Damage
Assuming the two computers are in different states (i.e., a federal interest computer was involved pursuant to 18 U.S.C. Section 1030(e)(2)), and the intruder is not authorized to access either Computer A or Computer B, the intruder could be prosecuted under the Computer Fraud and Abuse Act (Section 1030(a)(5)) if damage totaled $1,000 or more,10 Charney said. The intruder might also face a misdemeanor charge under Sections 1030(a)(2) and 1030(a)(3) if he accessed, without authorization, certain specified computers (i.e., computers used by financial institutions, card issuers, consumer reporting agencies, or the federal government).
Charney stressed the difficulty of calculating damage, a necessary task in determining whether a federal crime has been committed and how severe the sentence would be. If all the files in Computer B were destroyed, for example, it is not clear how to calculate their value, he noted. Charney also pointed out that, ironically, if the operator of Computer B had complete backup files, any federal crime effectively would be erased. "Does that make sense? I don't think so," the prosecutor observed. Of course, the victim would most likely incur costs associated with restoring the backup, changing passwords, cleaning up the system, and so on, although the cost of the "ancillary" activities might well be significantly less than the cost of recreating the destroyed files from scratch.
He applauded a recent U.S. Sentencing Commission recommendation for new sentencing guidelines for computer crime that would focus not on economic damage, but rather on confidentiality, integrity, and availability of data.11 That approach makes sense, Charney said, because in many computer offenses "the real problem is not money, it's privacy and trusted systems, and I think we need to address that."
Guidoboni agreed with Charney that damage calculations are a problem. For example, prosecutors in the Morris case claimed substantial amounts of economic damage that would have been dismissed as "speculative" in the average civil case, Guidoboni said.
Issue: Ethics and Education
Charney and Godwin agreed that computer users need ethics education.12
Charney noted that the Justice and Education departments recently published a booklet for educators on the ethical use of information technologies. Many computer hackers are not trying to damage anything; they simply are young and do not know any better, he explained. In such cases, federal agents visit the intruders' homes and tell the parents, and the problem generally stops. "Look, there will always be some percentage of the population that has a criminal bent, and as they learn to use computers, they are going to do nasty things with them," Charney said. "But if you eliminate all these other cases that exist only because the people haven't been educated, then you can apply what limited resources you have left to the really serious cases."
Other forum participants offered conflicting perspectives on the ethical status of computer users. Lance Hoffman, professor of electrical engineering and computer science at George Washington University, felt he was "living in fantasyland, listening to some of this discussion." He suggested that the term "ethically educated computer user" might be an oxymoron, citing a class he taught in which 22 out of 23 students did not feel that stealing information was a crime. On the other hand, Rasch—as noted earlier—suggested that "stealing information" was not a crime.
Still other participants argued that many hackers have a sense of ethics, citing the Legion of Doom as an illustration. The Legion of Doom was a group of several dozen hackers who broke into telephone systems and computer networks. The group acquired widespread notoriety beginning in 1989, when federal agents raided the homes of three Atlanta members who had been trafficking in stolen access codes. One hacker had broken into a Bell South computer and obtained an administrative document. The crackdown continued into 1990, with raids in Texas and elsewhere.13
John Perry Barlow said these hackers "were astonishingly ethical people in spite of the fact that they had been raised in an environment where they had literally been without adult supervision,14 both in their homes and in their chosen environment (i.e., the electronic networking environment). They had developed a set of ethics as a natural result of being in an environment where law simply didn't apply." Argued Barlow, "If they didn't have ethics, you would not be able to place a phone call—ever—in this country. They are amazingly careful about what they do. And there is nobody who is in a very good position to stop them." Alexander, who prosecuted the Bell South case,15 agreed with Barlow about their technical capabilities, noting that "if they had wanted to shut down service in the entire Atlanta area or up and down the Eastern seaboard or the entire country, they could have."
More recently (mid-1994), public attention has been called to the ethics issue by the National Computer Ethics and Responsibilities Campaign, which aims to provide people with the tools and pointers they need to use information technology in responsible and ethical ways. Sponsored by several different organizations,16 the campaign is undertaking a variety of activities intended to encourage serious, ongoing discussion of the issue, lend the subject credibility and impact, provide a strong rationale for commentators to focus on the issue, create a structure that gets information into the hands of people who need it, and raise public awareness. Its core message is that users of information technologies have responsibilities that are peculiar to the management, development, and use of those technologies. The campaign is not promoting any approach, "code of conduct," position, or recommendation other than the need to raise awareness of the positive and negative consequences of the analog-to-digital shift and of the fact that tools and resources exist to help people make intelligent, informed choices about how best to develop, manage, and use information technology whether it is in the home, corporation, or classroom.
Issue: Operator Responsibilities and Liabilities
System operators and network service providers have an obligation to provide security capabilities and procedures that discourage unauthorized access and/or damaging conduct. But users of these systems and services have obligations as well to use these capabilities and procedures. Guidoboni argued that system operators should assume some responsibility for security rather than depend on laws to compensate for bad management. In the Morris case, he noted, passwords had been left in files that were accessible to nearly anyone. In a similar vein, Alexander said failure to install adequate system security should neither be criminalized nor become a basis for blocking prosecution of intruders.17 He argued that common sense and the free-market system will encourage adoption of safeguards. More recently, the Clinton administration's Information Infrastructure Task Force has suggested that "users of personal information must take reasonable steps to prevent the information they have from being disclosed or altered improperly. Such users should use appropriate managerial and technical controls to protect the confidentiality and integrity of personal information."18 Such a principle argues that individuals have an active responsibility to protect information about themselves.
An important theme of the dialogue, noted by several participants, was the unusual degree of accord among the factions represented. For instance, a variety of speakers stressed the need for user ethics education. In addition, prosecutor Charney and civil liberties advocate Godwin agreed that privacy, more than theft or specific damage, is the key issue in computer trespassing. (This is not to say, however, that damage resulting from break-ins is unimportant. Indeed, even when there is no explicit damage, companies may incur substantial costs if they are forced to take a network out of service temporarily to check it out and patch security holes. In addition, a user's sense of operating in a trustworthy computing environment may be compromised.)
Perhaps most important, a consensus emerged that the federal computer crime statute—United States Code Annotated, Title 18, Section 1030—needs to be updated, although panel members differed as to how. This statute originated with the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (Public Law 98-473) and was amended by the Computer Fraud and Abuse Act of 1986 (Public Law 99-474). It provides criminal sanctions for individuals who intentionally access a computer without authorization or exceed authorized access; it does not address reckless or negligent access or intent to cause damage.
The law is difficult to apply in practice. Charney and others pointed out, for example, that insiders pose a significant threat to network security: "We're seeing a fairly dramatic increase in the number of insiders who plant viruses and other types of malicious codes because they're either disgruntled or they're on their way out the door. …" These cases are a challenge to prosecutors because the defendants had authorized access to the system. Charney said legislation has been proposed, although not passed, that would criminalize "unauthorized use" instead. Rotenberg also emphasized the threat from insiders, suggesting that the federal statute be revamped altogether to focus on actual harm and criminalizing "people who cause damage and people who intend to cause damage."
Others pointed out that the definition of "authorization" is problematic, especially in a networked environment designed to make it easy to share computing resources. As Rasch said, "We have a question of what is somebody's authorization on a network. … As a member of the Internet community, I can send electronic mail to anybody on the network. And I can access their computer, albeit for limited purposes.19 Therefore, I have authority [under one definition of the word] to access every computer on the network. … Even worse, the problem is not just authorization, it's also exceeding authorization. So even if you are authorized to be on a system, if you exceed that authorization, you may be subject to criminal sanctions." David Hughes pointed out that "it's not just authorization on the Internet, but everything is getting connected to everything else. … It looks like we are hooking up every network possible to every network possible. … Furthermore, the information is moving, and you don't even know what systems it's going through and whether you have authorization to go through that system." In short, Hughes argued that basing criminality on whether a user has authorized access to a system can raise some perplexing questions.
David R. Johnson, a lawyer with Wilmer, Cutler, and Pickering, pointed out that the Computer Fraud and Abuse Act criminalized unauthorized access only because the Congress was concerned that criminalizing electronic destruction by users with authorized access could open up a new avenue for inappropriate prosecution of whistleblowers and others engaged in First Amendment-type activities.
Still, the concordance among the panel members was seen as a positive sign. Anne Wells Branscomb spoke for many when she observed that "the legal profession seems to have made a bridge now to the computer scientists and the user, [and the] managers of some of these systems. … [I]n the past I think they have been talking at cross-purposes, have lived in different worlds."
In summary, electronic vandalism can be characterized along at least two separate dimensions. The first involves the nature of the offense: electronic trespass, electronic invasion of privacy, and destruction or theft of electronic property. Electronic trespass can be captured by the idea that a trespasser is executing commands on a computer that he or she does not have authorization to use. Electronic invasion of privacy refers to the unauthorized examination of files in a computer. Electronic destruction of property refers to the unauthorized deletion or alteration of files in a computer.
The second dimension involves the intent or lack thereof on the part of the alleged perpetrator. With a few exceptions, the presence of intent is what determines the extent to which an alleged perpetrator can be prosecuted under criminal statutes; in the absence of intent, liability for harmful actions is generally restricted to civil liability.
Although expressed in terms relevant to computing, these notions are not new. What computing and networking primarily change is the difficulty of determining when a given offense has occurred. For example:
Trespass. The concept of trespass is grounded in physical space that can be precisely delimited. What is the analog of physical space in a medium in which physical space has lost its traditional meaning? Before networking became common, the concept of trespass could be applied to an unauthorized user sitting at a terminal hard-wired to a mainframe. The terminal was located in a physical space, and the user's presence there, if unauthorized, clearly constituted trespass against the owner of that space (who was also usually the owner of the mainframe). But when computers are interconnected all over the world, and the user may be accessing the network from his or her home and thus may not be subject to the jurisdiction of any interested party, on what is the concept of trespass based? Perhaps the unauthorized execution of commands is sufficient, although this interpretation may be problematic when execution is possible without a remote log-in that clearly demarcates a point of (authorized or unauthorized) access.
Invasion of privacy. In a physical space, an invader of privacy may well leave tracks or other evidence that he or she has opened file cabinets or closets. In many electronic environments, it is easy to view files and directories without leaving any trace whatever. Thus, the owners of a computer that has been compromised may have no idea of what information the alleged invader has obtained. (At the same time, other computer systems maintain logs, and so a trace of at least some activities may exist, whereas espionage activity may take place with paper documents, access to which may not leave any observable traces.)
Destruction or theft of property. The concept of electronic property is complicated by the fact that it, like all intellectual property, is intangible. When physical property is stolen, the original owner no longer has use of that property. Likewise, when it is destroyed, the original owner must buy it again to replace it, thus incurring a cost that is comparable to the cost of initial acquisition. But when electronic property is stolen, the original owner may not even be aware of it because he or she still has the use of it. When electronic property is destroyed, and backups are available, it can be replaced at relatively low cost.20